Making your WordPress site secure

To new users of WordPress who are not very tech-savvy, the topic of security can be a little intimidating at first, especially when they do some research on the internet and find all the technical instructions about SSL, cookies, tokens and so on (have I lost you already?). However, securing your work is fundamental, and having only a little private blog does not mean you will not be attacked. Nowadays, attacks on WordPress sites are mostly automated: bots scan the whole internet for WordPress installations and for known-vulnerable plugin versions, and they do not care what your site is about. As soon as your site is reachable online (and being indexed by Google, which you obviously want, only makes it easier to find) it will start receiving these automated probes.

There is another problem, though. WordPress relies heavily on third-party plugins, and a plugin runs with exactly the same privileges as WordPress itself, so a vulnerability in any plugin you install is a vulnerability of your whole site. The community and the plugin directory review plugins to some extent, but that is no guarantee: there have been many cases where plugins, including actively maintained ones, shipped security holes that were then exploited at scale. Outdated or abandoned plugins are the most common way in, so keep your plugins updated and delete (not just deactivate) the ones you do not use, since the files of a deactivated plugin still sit on the server and may still be reachable.

So, how can you as a non-tech-savvy user make sure your WordPress site is reasonably secure? Again, it is not about securing your website to CIA standards. Most attacks are opportunistic: if your site is a bit harder to break into than the next one, the bots and the people behind them will usually move on to easier victims and leave you in peace.

A few things to bear in mind:

The default installation of WordPress is reasonably secure, so you do not have to fear that your blog will be compromised the moment you put it online. A strong, unique admin password already puts your site ahead of many others, because the most common automated attack is simply guessing weak or reused passwords. If you have a hard time remembering complex passwords, use a password manager such as www.lastpass.com: it stores your passwords and generates long random ones so that you never have to remember them!

By default, all WordPress sites have a few things in common. One of them is the database table prefix "wp_": every table WordPress creates is called wp_users, wp_posts and so on, so that several programs (or several WordPress installs) can share one database without their tables clashing. Because every attacker knows these names, crude automated SQL injection scripts simply hardcode them. Changing "wp_" to something else at the moment of installation, e.g. "myblog_", makes those scripts fail. Be honest with yourself about what this buys you, though: a competent attacker can just ask the database for its table names, so this is a small extra hurdle, not a substitute for keeping WordPress and its plugins updated. And do it at installation time: changing the prefix afterwards means renaming every table and also updating the prefixed entries in the options and usermeta tables, which is easy to get wrong.

Try to avoid calling your admin user "admin". Brute-force bots try that name first, so a name like "blog-master" takes you off the easiest path. Do not rely on it too much, though: WordPress reveals usernames in several places (author archive URLs, for instance), so a determined attacker can usually find out the login name. The password is what really has to hold.

Don't use your admin account to create content on your WordPress site; keep administration and content writing under different users. Every post shows its author, and by default the name shown is the login name, so publishing as your admin user hands an attacker half of the credentials. The content creation user does not need admin rights: give it the "Editor" or "Author" role instead.

From the perspective of what you can do at the moment of installation, this is pretty much it.

The next step is to see how security plugins can help you make your site more secure. We need to distinguish three types of security plugins:

The first type of plugin makes sure your installation itself is secure, meaning that your files are protected and cannot be read or modified by anyone who should not. On Linux (where most shared hosting runs), every file and directory carries permission bits that say what the owner, the owner's group and everybody else may do with it. The usual recommendation for WordPress is 644 for files, 755 for directories and something stricter such as 600 or 640 for wp-config.php (it holds your database password), and nothing should ever be world-writable. You do not have to learn the details: security plugins can check these settings and, if the host allows it, change them. One caveat a plugin will not tell you: permissions protect you against other accounts on a shared server, not against WordPress itself, because code running inside WordPress has the same rights as the web server user that owns the files.
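To make the permission check concrete, here is a small added example (written for this page, not code from any security plugin) that does what such a plugin does: it walks a WordPress directory, reports entries whose mode bits are looser than the 644/755/600 targets mentioned above, and can tighten them. The target modes, the "widest acceptable" 640 for wp-config.php and the sample directory tree it builds in a temporary folder are all assumptions made for the example.

```python
import os
import stat
import tempfile
import shutil

# Target modes for a typical WordPress tree on a Linux host. These are
# assumptions for this example; your host may document different values
# (e.g. 640 for wp-config.php when the web server runs under your group).
FILE_MODE = 0o644
DIR_MODE = 0o755
CONFIG_MODE = 0o600
CONFIG_ALLOWED = 0o640      # widest mode we still accept for wp-config.php
CONFIG_NAME = "wp-config.php"


def audit_permissions(root):
    """Walk a WordPress directory and return a sorted list of
    (relative path, octal mode, problem) for entries whose mode bits are
    looser than the targets above. Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif not is_dir and name == CONFIG_NAME:
                if mode & ~CONFIG_ALLOWED:
                    findings.append((rel, oct(mode), "wp-config.php readable by others or writable by group"))
            elif is_dir and mode & ~DIR_MODE:
                findings.append((rel, oct(mode), "directory mode looser than 755"))
            elif not is_dir and mode & ~FILE_MODE:
                findings.append((rel, oct(mode), "file mode looser than 644"))
    return sorted(findings)


def fix_permissions(root):
    """Apply the target modes. Only run this on a site you own, after a
    backup, and check your host's documentation first: a few hosts need
    other values and a too-strict wp-config.php can take the site down."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), CONFIG_MODE if f == CONFIG_NAME else FILE_MODE)


def build_sample_tree(base):
    """Constructed WordPress-like layout (not a real install) with
    deliberately bad permissions so the audit has something to find."""
    layout = {
        "wp-config.php": 0o644,                   # database password readable by everyone
        "index.php": 0o644,                       # fine
        "wp-content/plugins/x/x.php": 0o755,      # needless execute bit
        "wp-content/uploads/avatar.png": 0o666,   # world-writable file
    }
    for rel, mode in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    for dirpath, dirnames, _ in os.walk(base):     # known-good directories ...
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)  # ... except one


def demo():
    """Audit the sample tree, fix it, audit again; returns (before, after)."""
    tmp = tempfile.mkdtemp()
    try:
        build_sample_tree(tmp)
        before = audit_permissions(tmp)
        fix_permissions(tmp)
        after = audit_permissions(tmp)
        return before, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print("%-35s %s  %s" % finding)
    print("after fix:", after)
```

On the sample tree the audit reports the world-readable wp-config.php, the executable plugin file, the world-writable uploads directory and the world-writable image inside it; after fix_permissions() it reports nothing. Note that this only tightens mode bits; it does not change file ownership, which on shared hosting is usually fixed by the host anyway.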

The second type of plugin falls under the category of intrusion detection and prevention, and its job is to make attacking your site a real pain. As mentioned earlier, this usually sends people off to look for easier victims. The detection part watches your files and tells you if something strange is happening, such as a core file changing or a new PHP file appearing in the uploads folder. That matters because many site owners do not notice a compromise for weeks, while in the meantime their server is quietly sending out Viagra spam. The prevention part slams the door in the attacker's face, for example by locking out a visitor who has just tried 100 different passwords for the admin account of your WordPress installation (this kind of login brute force is the most common automated attack of all).
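The lockout just described is, at its core, a counter per visitor address with a time window. The following added example (written for this page, not the code of any plugin) runs that logic over a few constructed web server log lines in the common "combined" format: a visitor loading the login form, a bot hammering wp-login.php and then xmlrpc.php, and a real user who logs in and later mistypes the password a few times. The threshold (5 failures), the window (5 minutes), the addresses and the log lines are all assumptions made for the example; the only WordPress facts it relies on are that a failed wp-login.php POST is answered with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One Apache/nginx "combined" access-log line looks like (constructed):
# 203.0.113.7 - - [12/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

THRESHOLD = 5                   # this many failed logins ...
WINDOW = timedelta(minutes=5)   # ... inside this window triggers a lockout


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """WordPress answers a failed POST to wp-login.php with 200 (it re-renders
    the form) and a successful one with a 302 to wp-admin. xmlrpc.php answers
    200 either way, so every POST to it is counted: it is a classic
    brute-force channel because one request can carry many login tries."""
    if rec is None or rec["method"] != "POST":
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    return rec["path"] == "/xmlrpc.php"


def find_brute_forcers(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window counter per client IP. Returns {ip: timestamp at which
    the ip hit `threshold` failures within `window`}, i.e. when a lockout
    should start. Lines must be in time order, as they are in a log file."""
    recent = defaultdict(deque)
    lockouts = {}
    for line in lines:
        rec = parse_line(line)
        if not is_failed_login(rec) or rec["ip"] in lockouts:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            lockouts[rec["ip"]] = rec["ts"]
    return lockouts


def sample_log():
    """Constructed log lines, not from a real server: one visitor loading the
    form, one bot hammering wp-login.php and then xmlrpc.php, and one real
    user who logs in and later mistypes the password a few times, slowly."""
    base = datetime(2024, 3, 12, 8, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'

    lines = [line("192.0.2.9", 0, "GET", "/wp-login.php", 200)]
    lines += [line("203.0.113.7", 10 + 7 * i, "POST", "/wp-login.php", 200) for i in range(8)]
    lines.append(line("198.51.100.4", 120, "POST", "/wp-login.php", 302))
    lines += [line("198.51.100.4", 900 + 600 * i, "POST", "/wp-login.php", 200) for i in range(4)]
    lines += [line("203.0.113.7", 4000 + i, "POST", "/xmlrpc.php", 200) for i in range(3)]
    return lines


if __name__ == "__main__":
    for ip, when in find_brute_forcers(sample_log()).items():
        print(f"lock out {ip} from {when.isoformat()}")
```

Only the bot gets flagged, at its fifth failure (08:00:38); the real user's four slow typos never fit inside one five-minute window, which is exactly the balance a lockout plugin has to strike so that it blocks password guessing without locking out the owner.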

The third type of security plugin is more of a security assessment: an on-demand scan of your setup, comparable to the antivirus software you launch once in a while to do a complete scan. Such a scan typically looks for outdated WordPress, plugin and theme versions, for files that differ from what a clean install should contain, and for weak settings, and it reports what it finds rather than blocking anything.
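The file checks behind both the monitoring mentioned for the second type and the on-demand scan of the third type come down to one technique: hash every file, keep the result, and compare later. The added example below (written for this page, not the code of any plugin) does that for a constructed site in a temporary folder, then simulates a compromise (a line injected into a core file, a PHP script dropped into the uploads folder, a plugin file deleted) and reports what changed. Real scanners additionally compare core files against the official release checksums so the baseline does not have to come from your own possibly already compromised copy; here the baseline is taken from the sample tree itself, which is an assumption made for the example.

```python
import hashlib
import os
import shutil
import tempfile

UPLOADS = "wp-content/uploads/"
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def hash_tree(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Diff two hash_tree() results: what appeared, vanished or changed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_uploads(paths):
    """PHP under wp-content/uploads is a classic sign of a planted web shell:
    that tree should only ever hold media."""
    return sorted(p for p in paths if p.startswith(UPLOADS) and p.lower().endswith(SCRIPT_SUFFIXES))


def write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(body)


def demo():
    """Take a baseline of a constructed site, simulate a compromise, rescan."""
    tmp = tempfile.mkdtemp()
    try:
        for rel, body in {
            "index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-includes/functions.php": "<?php // core code\n",
            "wp-content/plugins/foo/foo.php": "<?php // a plugin\n",
            "wp-content/uploads/2024/photo.jpg": "not really a jpeg\n",
        }.items():
            write(tmp, rel, body)
        baseline = hash_tree(tmp)   # in real use: store this where the web server cannot write

        # Constructed "compromise": a line injected into a core file, a script
        # dropped into uploads, and a plugin file deleted.
        write(tmp, "wp-includes/functions.php", "<?php // core code\n// injected backdoor line\n")
        write(tmp, "wp-content/uploads/2024/cache.php", "<?php // planted web shell\n")
        os.remove(os.path.join(tmp, "wp-content/plugins/foo/foo.php"))

        report = compare(baseline, hash_tree(tmp))
        report["suspicious"] = suspicious_uploads(report["added"])
        return report
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The report lists the changed core file, the new script in uploads (also flagged as suspicious) and the deleted plugin file. The one design point worth remembering is where the baseline lives: if it sits inside the web root, an attacker who can change your files can also "fix" the baseline, which is why plugins keep it in the database or compare against the official checksums instead.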

Below we are listing a few of the plugins that can make your website a lot more secure. Have a look at them; using any of these is already a lot better than having nothing installed!

A word of warning: it is usually not advisable to use multiple security plugins at the same time, as their functionality might conflict and lock you out of your own site. And always make a backup before installing anything new!